[Samba] samba_upgradeprovision and msDS-SupportedEncryptionTypes / msDS-NcType

Andrew Bartlett abartlet at samba.org
Fri Feb 22 04:48:11 MST 2013 

On Wed, 2013-02-20 at 09:09 -0800, Gregory Sloop wrote:
> 
> DE> Originally I had a Win 2003 DC. I added a samba 4.0.0 DC to the
> DE> domain, allow full replication to take place and then transferred all
> DE> the roles to the samba 4.0.0 dc. Finally I removed the Windows DC from
> DE> the domain.
> 
> DE> Everything has been working well. Today I upgraded from samba 4.0.0 to
> DE> 4.0.3 and ran samba_upgradeprovision --full. Initially this was
> DE> failing in update_present throwing an exception when attempting to
> DE> modify msDS-NcType and msDS-SupportedEncryptionTypes attributes which
> DE> didn't exist. I was able to get the upgradeprovision to run to
> DE> completion by removing these from the deltas
> 
> DE> i.e.,
> DE>             delta.remove('msDS-SupportedEncryptionTypes')
> DE>             delta.remove('msDS-NcType')
> 
> DE> Everything seems to be up-and-running again at 4.0.3, so it went well.
> DE> However, if these attributes are missing - a) shouldn't I get these
> DE> attributes added? b) why don't these show up as missing attributes on
> DE> the samba-tool dbcheck?
> 
> I can't help you at all, but over the last week or so, Andrew Bartlett
> has mentioned, IIRC, that the upgradeprovision should not be run to
> upgrade a 4.0.x box to 4.0.3.
> 
> Essentially, as I understand it, the code is only working properly for
> alpha version upgrades, and it was too dangerous to recommend for use
> for a production version [4.0.x].
> 
> Hopefully someone else will chime in here that knows more than I.
> 
> Just thought if you hadn't seen those messages - that might explain
> the source of the problems you have.

Indeed, if the domain originally came from windows, then
upgradeprovision should NOT be run.  Indeed, I would have hoped that the
tool would detect this and would not attempt an upgrade, but clearly
this fails.

A backup was made before the upgradeprovision process, and I hope you
tool your own backup.  Please revert to one of these backups, file a bug
along these lines and do not use this tool until I can add more safety
checks. 

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list